From 1e00bbb10cbde3da03a1e744265ce6def9ae4c56 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 13 May 2013 18:09:04 +0200
Subject: [PATCH] avcodec/lcldec: Check that dimensions are a multiple of the subsample factors Other dimensions would not work correctly currently, also ask for a sample for files that fail this check. This fixes an integer overflow leading to out of array accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/lcldec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 7948199802..ad7ef91e8d 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -42,6 +42,7 @@
 #include
 #include "libavutil/mem.h"
+#include "libavutil/pixdesc.h"
 #include "avcodec.h"
 #include "bytestream.h"
 #include "internal.h"
@@ -482,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 unsigned int max_basesize = FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4);
 unsigned int max_decomp_size;
+ int subsample_h, subsample_v;
 if (avctx->extradata_size < 8) {
 av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@@ -507,6 +509,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
 max_decomp_size = max_basesize * 2;
 avctx->pix_fmt = AV_PIX_FMT_YUV422P;
 av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
+ if (avctx->width % 4) {
+ avpriv_request_sample(avctx, "Unsupported dimensions\n");
+ return AVERROR_INVALIDDATA;
+ }
 break;
 case IMGTYPE_RGB24:
 c->decomp_size = basesize * 3;
@@ -537,6 +543,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return AVERROR_INVALIDDATA;
 }
+ av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
+ if (avctx->width % (1<height % (1<compression = (int8_t)avctx->extradata[5];
 switch (avctx->codec_id) {
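Review bot: The `avctx->width % 4` test added in the IMGTYPE_YUV422 case carries no comment saying why the factor is 4, although AV_PIX_FMT_YUV422P subsamples chroma horizontally by only 2; a later reader could relax it to match the generic subsample check and reopen the out-of-array access the commit message describes. A one-line comment such as `/* 4:2:2 unpacking assumes width % 4 == 0 (TODO confirm which loop); other widths overrun the row */` would pin the reason, with the wording to be confirmed against the decode path, which is outside the hunk. Separately, the message passed to `avpriv_request_sample()` ends in `\n`, which likely breaks the sentence that helper appends; `avpriv_request_sample(avctx, "Unsupported dimensions");` reads cleaner. The enclosing switch and decode_init start and end outside the hunk.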
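Review bot: The return value of `av_pix_fmt_get_chroma_sub_sample()` is ignored while `subsample_h` and `subsample_v` are declared without initialisers, so if the call failed for the selected pix_fmt the shifts in the condition that follows would use indeterminate values. Presumably every image type that reaches this point has set a valid pix_fmt in the switch above (outside the hunk), but the check is cheap: `if (av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v) < 0) return AVERROR_BUG;`. The rest of the added condition is not fully legible on this page, so this note covers only the call. Since the guard runs once in decode_init, it is also worth confirming that width and height cannot change before the frame decoder relies on them.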